 From:  "Brandon Holland" <brandon at cookssaw dot com>
 To:  "'Mark Spieth'" <mspieth at neod dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Tue, 27 Jan 2004 11:36:47 -0600
Very true.  About 2 months ago, out of morbid curiosity I found quite a
few access points near my place of business.  Almost all of them are
online too.  (http://www.wigle.net is one such site that catalogs war
driver findings.)

Think about war drivers.  They find your network and post it online.  I
don't know about your grandpa, but even MINE thinks it's pretty dumb.
He'd rather not have one, than have one that'll open his door to 12 year
old "1337 hh@x0rs" or whatever they call themselves.

I'm responsible for a few spottings myself.  Go to wigle.net and
download a map for your area.  How many APs has your innocent son found
and posted online for you?  Maybe your AP (which may or may not be
broadcasting its SSID) is up there too.  Just find your lat and long
and see if there's a dot :)

BTW: about wireless sensitivity.  Just because your laptop can't reach
the network outside the house, it doesn't mean that my Pringles can
can't either.

Brandon

-----Original Message-----
From: Mark Spieth [mailto:mspieth at neod dot net] 
Sent: Tuesday, January 27, 2004 11:02 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Feature request which would make m0n0wall even
better ;)

>> In a home network, having everything in one box isn't as risky.  For one
>> thing, home networks aren't "juicy" targets like company networks are.

This is an extremely incorrect statement.  In fact, most script kiddies
(which comprise most of the hacking attempts) do huge scans on network
addresses; they have no idea who they are hacking, and would hack a home
machine first, since you are less likely to get caught or even have the end
user know the system was compromised.  Once the home machine is hacked,
they will then use it to go after other systems.
 

-----Original Message-----
From: Jim Gifford [mailto:jim at giffords dot net] 
Sent: Tuesday, January 27, 2004 11:49 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Feature request which would make m0n0wall even
better ;)

On Tue, Jan 27, 2004 at 11:08:50AM -0500, Mark Spieth wrote:
> This is BAD BAD BAD BAD BAD! I can repeat it some more if you want... A
> firewall should just be a firewall, period, end of story. If people would
> keep things updated, then it might be a different case, but they won't;
> hell, I still see Code Red attacks out there..

For a company network, the firewall should only do firewall.  Separate
secure boxes inside the network should provide additional services.

In a home network, having everything in one box isn't as risky.  For one
thing, home networks aren't "juicy" targets like company networks are.

A real world physical example that might put this into perspective:

    At the last place I worked, we had proximity access cards.  You
    needed the card to get in the front door outside of normal hours.
    You needed the card to access the stairs and elevator from the
    ground floor.  You needed the card to access the machine rooms.
    There is a complicated alarm system, with dialout and cellular links
    to contact the alarm monitoring people.

    In my house, I have 1 key that fits both doors, and I keep the
    doors locked at all times (aside from during egress/ingress).
    I don't have a fancy alarm system.  I have one cat that might love
    an intruder to death.  I have several computers, some expensive home
    entertainment equipment, and standard appliances and furniture.

I don't have as strong or as expensive a security setup at home as they
had at work.  On the other hand, I have less than 30,000 dollars worth of
stuff (that is likely a very high number actually), whereas the company
had several tens of millions of dollars worth of equipment.  Their risk
was greater, so their security measures were greater.

> The end result is and will be that these insecure *nix boxes running all
> this extra software will get hacked. Now personally, if you put extra
> stuff on your firewall and it gets hacked, and the hacker then deletes
> all your company's accounting files so that you don't get a paycheck, I
> really could care less, but that won't be the end of it. They will then
> use that hacked box to go hacking other people's boxes, including ones I
> manage, and that's where I have a problem. You want NTP etc.? Go buy a
> $25.00 PII300 used box and run NTP behind your firewall; no guarantee it
> won't get hacked, but your chances are much better than running it,
> samba and a whole mess of other things on your box...

In a home, many people *will not* dedicate 5 computers just for
"infrastructure".  1 or 2 perhaps, but even that is a stretch.  m0n0wall
on a soekris has the benefit of looking like a device instead of a
computer.  *grin*  In a home, people often don't have a DMZ, nor do they
generally need one.

If someone is running a network gateway with a lot of extra services
(including firewall, etc), and they are aware of the risks, then if they
get compromised, they will have to live with that.

I personally will be having my firewall only be a firewall (and once I
get my big server rebuilt, I'll turn off DHCP on the m0n0wall and put it
on the server instead).

Also consider that every extra machine you add has an OS and software
that must be kept up to date.  Someone has to manage that machine,
and stay on top of patches.  In a company network those costs are
expected.  In a home network, most people simply want things to work
without having to spend a lot of time making them work.

> Mark

jim

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
